Microsoft Announces Massive Anti-Botnet Operation

Microsoft this week said that it has worked with the US Federal Bureau of Investigation, major players in the financial services industry, and other industry technology leaders to help thwart a major botnet operation that is responsible for over $500 million in losses to individuals and businesses.

The operation combined a court-ordered civil seizure warrant, under which Microsoft disrupted 1,462 Citadel botnets and the millions of computers they had infected, with separate but coordinated steps taken by the FBI. Called Operation b54, Microsoft's seventh anti-botnet operation to date, the effort marks the first time, according to Microsoft, that law enforcement and the private sector have worked in concert to execute a civil seizure warrant as part of a botnet disruption operation.

“We do expect that this action will significantly disrupt Citadel’s operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business,” a Microsoft statement notes. “However, we do not expect to fully take out all of the botnets in the world using the Citadel malware.”

According to Microsoft, its investigation, which ran for more than a year, found that Citadel blocked victims' access to legitimate anti-virus and anti-malware sites, making it difficult for users to remove the threat from their PCs. Microsoft also noted that the cybercriminals were developing their malware and growing their business “using fraudulently obtained product keys created by key generators for outdated Windows XP software,” a point that conveniently opens another discussion about migrating customers to a newer, supported Windows version.

Escorted by US Marshals, Microsoft earlier this month seized data and evidence from the botnets, including computer servers from two facilities in New Jersey and Pennsylvania. Microsoft also provided information about the botnets’ operations to international Computer Emergency Response Teams (CERTs), so they could take action against botnets located outside the United States.

Much of the half billion dollars in losses was directly attributed to the cybercriminals recording users' keystrokes with the Citadel malware and then harvesting their login credentials for banks and other online accounts. About five million people were affected, Microsoft says, with the highest numbers of infections occurring in the US, Europe, Hong Kong, Singapore, India, and Australia, but there were victims in more than ninety countries worldwide.

“The harm done by Citadel shows the threat that botnets, malicious software, and piracy pose to individuals and businesses around the world,” Microsoft general counsel Brad Smith said. “Today’s coordinated action between the private sector and law enforcement demonstrates the power of combined legal and technical expertise, and we’re going to continue to work together to help put these cybercriminals out of business.”

In addition to the FBI and US Marshals, Microsoft says it worked with the Financial Services – Information Sharing and Analysis Center (FS-ISAC), NACHA – The Electronic Payments Association, the American Bankers Association (ABA), Agari, A10 Networks, and Nominum to help thwart the threat.